Renewing SSL certificate issues with an old CA Root X3

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: Webmin (Let's encrypt)

It produced this output:DST Root CA X3 - Valid from 9/30/2000 to 9/30/2021

My web server is (include version):https://(N/A)

The operating system my web server runs on is (include version):linux

My hosting provider, if applicable, is: GCP

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):webmin SSL configuration

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using the GUI from webmin

How can I renew it with a different DST Root CA number. As you can see the certificate renews for 3 months but it is strangely assigned to an expired Let's encrypt certificate.

Thank you!


Hi @despinosa, welcome to the LE community forum :slight_smile:

How did you check that?

I think you might be getting fooled by your own browser [which is likely trying to build the cert chain].

The chain served by the webserver is updated.

Thanks, rg305,

I get this on the certificate chain enrolled to it. Please see screenshots.

After 9/30 the trust certificate will not authenticate, this is my concern.

Thank you for your support,


Having similar issues with winacme (wacs.exe) & wincertes.
My web server: IIS 7
Operating System: Windows Server 2019 Standard
Hosting: Self
I can log into a root shell on my machine: yes
Control Panel: none
version of my client: winacme 2.1.18; wincertes 1.4.3

This is just Windows doing random things, disregard that.

This is the correct chain. This server is sending everything correctly.

The expiring DST Root CA X3 is intentional. This certificate by IdenTrust is pretty much end of life. That's why ISRG Root X1 - a (new) root by Let's Encrypt - is in the chain, so validators can use that. DST Root CA X3 is still included for older Android compatibility.

1 Like

That is not necessarily what is being served.
That is what is being used (after being built) by your system.

  • use an online tool (like the one I linked)
  • use OpenSSL to retrieve the certs
1 Like

Thanks for the clarification and details. rg305 and Nummer378! I was concern it is was something not intentional and our SSL will crash. After this date, when enrolling the DST will not be reported in the chain trust. I do see my certificates are in a healthy state. Thank you!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.